Catch of the Day

We review billions of logs daily to keep our customers safe from attacks. Here are some stories “that never happened” from files “that do not exist”.

Emotet Caught in a City

The Network: A municipal government serviced by an MSP requested that the EventTracker SIEM sensor be installed on hundreds of monitored endpoints.

The Expectation: EventTracker Co-Managed SIEM services, advanced endpoint protection, and behavior analytics would deliver added protection for the government agency.

The Catch: Over a weekend, and within hours of onboarding, the municipal government was found to be infected by Emotet malware, which had mutated and propagated throughout the network. The threat was discovered and contained after two email exchanges with our SOC, giving the MSP time to deal with the problem in an orderly manner during normal business hours the following business day, knowing that the threat had been neutralized.

The Find: Just two hours after installation, our SOC alerted the MSP of suspicious activity in the network. In the meantime, EventTracker security analysts started a deep-dive investigation including:

Assessing the extent of infection in the customer environment

Collecting indicators of compromise (IOCs) which could later be used by EventTracker’s advanced features, such as suspicious process termination and behavior analytics

The Fix: After a second notification from EventTracker, the MSP authorized the automatic shutdown of bad processes and IP communication, neutralizing the threat and providing the MSP and the municipality time to remediate and recover from the infection. This was made possible due to the collaboration afforded by Co-Managed SIEM services and the SIEM platform’s machine learning and automated response capabilities.

Our SOC responded to the customer with all investigation findings and informed them that all EventTracker sensors at the infected customer premise were updated with EventTracker’s advanced suspicious process learning and process lockdown options, which contained further malware propagation.

The Lesson: Our observation and investigation found that the following best practice could have limited the spread of the incident:

Firewall best practices, such as an implicit deny-all-service rule, would have blocked communication on all unknown ports to destinations outside the customer infrastructure
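As an added illustration of the deny-by-default lesson above (constructed example code, not EventTracker's, the MSP's, or the municipality's configuration), the small policy evaluator below compares the same outbound connections under an implicit "allow" default and an implicit "deny" default. The internal address ranges, the explicit egress allow list, and the sample connections are all assumptions chosen for the example; the addresses are documentation ranges, not indicators from the incident.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed internal address ranges for the customer network (constructed for the example).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Explicit egress allow list: services the business actually needs to reach outside.
# Anything not listed is an "unknown port" in the sense used in the lesson above.
ALLOWED_EGRESS = {("tcp", 80), ("tcp", 443), ("udp", 53), ("tcp", 53)}


@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def is_internal(addr: str) -> bool:
    """True when the address falls inside one of the assumed internal ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def evaluate(conn: Connection, default_action: str) -> str:
    """Decide 'allow' or 'deny' for one outbound connection.

    Only traffic leaving the customer infrastructure is subject to the egress
    policy; internal-to-internal traffic passes here, which is why an egress
    rule limits spread to outside hosts but does not by itself stop lateral
    movement between internal machines.
    """
    if default_action not in ("allow", "deny"):
        raise ValueError("default_action must be 'allow' or 'deny'")
    if is_internal(conn.dst):
        return "allow"
    if (conn.proto.lower(), conn.dport) in ALLOWED_EGRESS:
        return "allow"
    # The implicit rule decides everything that no explicit rule matched.
    return default_action


# Constructed sample traffic from one workstation (documentation addresses, not real IoCs).
SAMPLE_CONNECTIONS = [
    Connection("10.0.1.20", "198.51.100.10", 443),        # normal web traffic
    Connection("10.0.1.20", "198.51.100.53", 53, "udp"),  # DNS lookup
    Connection("10.0.1.20", "203.0.113.5", 8080),         # unknown port, outside the network
    Connection("10.0.1.20", "203.0.113.9", 7000),         # another unknown port, outside
    Connection("10.0.1.20", "10.0.0.5", 445),             # internal SMB: not an egress decision
]


def decisions(default_action: str) -> dict:
    """Map (dst, dport) to the verdict under the given implicit default."""
    return {(c.dst, c.dport): evaluate(c, default_action) for c in SAMPLE_CONNECTIONS}


def blocked_count(default_action: str) -> int:
    """Number of sample connections the policy denies under the given default."""
    return sum(1 for verdict in decisions(default_action).values() if verdict == "deny")


if __name__ == "__main__":
    for policy in ("allow", "deny"):
        print(f"implicit default = {policy}")
        for (dst, dport), verdict in decisions(policy).items():
            print(f"  {dst}:{dport:<5} -> {verdict}")
        print(f"  blocked: {blocked_count(policy)} of {len(SAMPLE_CONNECTIONS)}")
```

Running the script shows that switching the implicit default from allow to deny changes the verdict only for the two connections to unknown ports outside the network; web and DNS still pass because they are explicitly allowed, and the internal SMB connection passes under both defaults. That last line is the caveat: an egress deny-all limits communication with the outside, which is what the lesson claims, but containing spread between internal hosts needs separate internal segmentation or host-level controls such as the process lockdown mentioned above.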
